diff --git a/04-gitea/values.yaml b/04-gitea/values.yaml
index 9ee454c..cda6c5f 100644
--- a/04-gitea/values.yaml
+++ b/04-gitea/values.yaml
@@ -17,6 +17,8 @@ gitea:
       TYPE: level
     packages:
       ENABLED: true
+    actions:
+      ENABLED: true
 
 persistence:
   enabled: true
diff --git a/08-gitea-runner/runner.yaml b/08-gitea-runner/runner.yaml
new file mode 100644
index 0000000..9ae91bc
--- /dev/null
+++ b/08-gitea-runner/runner.yaml
@@ -0,0 +1,122 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gitea-runner
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: runner-secret
+  namespace: gitea-runner
+stringData:
+  token: "m7uOZcE8st7MtvjI2YThQy6em5GoCs2TPMXSnvdV"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: runner-config
+  namespace: gitea-runner
+data:
+  config.yaml: |
+    log:
+      level: info
+    runner:
+      file: .runner
+      capacity: 1
+      timeout: 1h
+      labels:
+        - "ubuntu-latest:docker://node:20-bookworm"
+        - "ubuntu-22.04:docker://node:20-bookworm"
+    container:
+      network: ""
+      privileged: true
+      options: ""
+      workdir_parent: /workspace
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gitea-runner
+  namespace: gitea-runner
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: gitea-runner
+  template:
+    metadata:
+      labels:
+        app: gitea-runner
+    spec:
+      containers:
+        - name: runner
+          image: gitea/act_runner:latest
+          env:
+            - name: DOCKER_HOST
+              value: tcp://localhost:2376
+            - name: DOCKER_TLS_VERIFY
+              value: "1"
+            - name: DOCKER_CERT_PATH
+              value: /certs/client
+          command: ["sh", "-c"]
+          args:
+            - |
+              while ! nc -z localhost 2376; do sleep 1; done
+              act_runner register --no-interactive \
+                --instance http://gitea-http.gitea.svc.cluster.local:3000 \
+                --token "$(cat /secret/token)" \
+                --name k3s-runner \
+                --config /config/config.yaml \
+                --labels "ubuntu-latest:docker://node:20-bookworm,ubuntu-22.04:docker://node:20-bookworm"
+              act_runner daemon --config /config/config.yaml
+          volumeMounts:
+            - name: secret
+              mountPath: /secret
+              readOnly: true
+            - name: config
+              mountPath: /config
+              readOnly: true
+            - name: certs
+              mountPath: /certs
+              readOnly: true
+            - name: data
+              mountPath: /data
+          resources:
+            requests:
+              cpu: 100m
+              memory: 128Mi
+            limits:
+              cpu: 500m
+              memory: 512Mi
+        - name: dind
+          image: docker:27-dind
+          securityContext:
+            privileged: true
+          env:
+            - name: DOCKER_TLS_CERTDIR
+              value: /certs
+          volumeMounts:
+            - name: certs
+              mountPath: /certs
+            - name: dind-storage
+              mountPath: /var/lib/docker
+          resources:
+            requests:
+              cpu: 100m
+              memory: 256Mi
+            limits:
+              cpu: 2000m
+              memory: 2Gi
+      volumes:
+        - name: secret
+          secret:
+            secretName: runner-secret
+        - name: config
+          configMap:
+            name: runner-config
+        - name: certs
+          emptyDir: {}
+        - name: data
+          emptyDir: {}
+        - name: dind-storage
+          emptyDir: {}